Launchpad itself

Merge lp:~deryck/launchpad/inline-multicheckbox-xss-741624 into lp:launchpad

inline-multicheckbox-xss-741624
Merge into devel

Proposed by Deryck Hodge on 2011-04-25

Status:

Merged

Approved by:

Deryck Hodge on 2011-04-26

Approved revision:

no longer in the source branch.

Merged at revision:

12921

Proposed branch:

lp:~deryck/launchpad/inline-multicheckbox-xss-741624

Merge into:

lp:launchpad

Diff against target:

12 lines (+1/-1)

1 file modified

lib/lp/app/templates/inline-multicheckbox-widget.pt (+1/-1)

To merge this branch:

bzr merge lp:~deryck/launchpad/inline-multicheckbox-xss-741624

Critical

Fix Released

Link a bug report

Reviewer	Review Type	Date Requested	Status
Benji York (community)	code	2011-04-25	Approve on 2011-04-25
Review via email: mp+58984@code.launchpad.net

Commit message

[r=benji][bug=741624] Remove structure from where InlineMultiCheckboxWidget is initialized.

Description of the change

This removes an unnecessary use of structure in the tal that initializes the InlineMultiCheckboxWidget.

Revision history for this message

Deryck Hodge (deryck) wrote on 2011-04-25:

I welcome anyone's review here, but I'd like to get Ian to look at it since he knows the widget well. Also, I'm fairly confident there isn't an XSS vector here with Ian's earlier released fix, which is why I didn't worry with a private branch and am treating this like a follow-up/clean-up branch.

Revision history for this message

Benji York (benji) wrote on 2011-04-25:

> I welcome anyone's review here, but I'd like to get Ian to look at it since he
> knows the widget well.

The change looks fine. The structure isn't necessary here and the
generated HTML/JavaScript should be the same with or without it.

> Also, I'm fairly confident there isn't an XSS vector here with Ian's
> earlier released fix, which is why I didn't worry with a private
> branch and am treating this like a follow-up/clean-up branch.

Right, since the string is a constant there is no XSS vulnerability.

review: Approve (code)

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Barki Mustapha

Celso Providelo

Christian Reis

Christy Awad

Colin Watson

Deryck Hodge

Harpianto,ANDI

James Troup

John A Meinel

Kevin bush

Launchpad code reviewers

Launchpad code reviewers from Canonical

Matthew Tanner

Maximiliano Bertacchini

Oguz Ersoz

Simon Brakhane

Ubuntu-BR DevOps

William Grant

alexsio nau

alhawiti

api.ng

pedro cavazos

todaioan

wenjingwen

to status/vote changes:

Tzaddi

Tzaddi Belding

1	=== modified file 'lib/lp/app/templates/inline-multicheckbox-widget.pt'
2	--- lib/lp/app/templates/inline-multicheckbox-widget.pt 2011-04-11 04:45:38 +0000
3	+++ lib/lp/app/templates/inline-multicheckbox-widget.pt 2011-04-25 18:44:32 +0000
4	@@ -30,7 +30,7 @@
5	<div class="yui3-activator-message-box yui3-activator-hidden"/>
6	</span>
7	<script tal:condition="view/can_write"
8	- tal:content="structure string:
9	+ tal:content="string:
10	LPS.use('lp.app.multicheckbox', function(Y) {
11	if (Y.UA.ie) {
12	return;